Paddy Power confesses to data leak hitting 650,000 users

IRISH ONLINE BOOKMAKER Paddy Power has revealed that it was the victim of a data breach in 2010.

The bookmaker announced on its website yesterday that it has been working with Canadian police after a tip in May of this year and has discovered the historical breach, which consisted of "individual customer's name, username, address, email address, phone contact number, date of birth and prompted question and answer".

However, it assured punters, "Customers' financial information such as credit or debit card details has not been compromised and is not at risk. Account passwords have also not been compromised.

"Paddy Power's account monitoring has not detected any suspicious activity to indicate that customers' accounts have been adversely impacted in any way."

Paddy Power MD of Online Peter O'Donovan told customers, "Robust security systems and processes are critical to our business and we continuously invest in our information security systems to meet evolving threats.

"This means we are very confident in our current security systems and we continue to invest in them to ensure we have best in class capabilities across vulnerability management, software security and infrastructure."

Commenting on the leak, Troy Gill, security analyst at Appriver, explained, "There is no need for panic here since no financial or password info has actually been exposed.

"It might be a good idea for Paddy Power to reset the few things that can be changed for these customers such as question and response specifics and username. Of course these events at the very least serve as a great reminder to keep up good security practices - utilizing different passwords for each account - even if they are a minor inconvenience now, they could potentially save you a major inconvenience down the road.

"However, according to the disclosure from Paddy Power they do not believe that the passwords were ever stolen/exposed."

The company put the number of people affected by the breach at 649,055, all of whom it said are being contacted. The company is also advising users to monitor other websites at which they have used the same credentials.